Understanding SELinux
Tom London
selinux at gmail.com
Sun Dec 5 17:57:19 UTC 2004
On Sun, 05 Dec 2004 11:38:04 +0100, Giuseppe Greco
<giuseppe.greco at agamura.com> wrote:
> Thanks Tom,
>
> the situation is now much better... I'm able to start squid,
> but I still get the following two error messages:
>
> Starting squid: audit(1102241826.255.0): avc: denied { getattr } for
> pid=2435 exe=/usr/sbin/squid path=/boot dev=hda1 ino=2
> scontext=root:system_r:squid_t tcontext=system_u:object_r:boot_t
> tclass=dir
>
> audit(1102241826.255.0): avc: denied { getattr } for
> pid=2435 exe=/usr/sbin/squid path=/tmp dev=dm-3 ino=2
> scontext=root:system_r:squid_t tcontext=system_u:object_r:tmp_t
> tclass=dir
>
> It looks like there are problems with directories /boot and /tmp...
>
> What's strange is that I get these error messages on a machine where
> I just upgraded from FC1 to FC3... I've also another machine on
> which I installed FC3 from scratch and here I've no problems at all.
>
I'm running strict/enforcing with the latest Rawhide packages
(selinux-policy-strict-1.19.10-4).
If I change to permissive mode (via 'setenforce 0')
and start squid (via '/etc/init.d/squid start') I get the following:
Dec 5 09:47:34 fedora kernel: audit(1102268854.527:0): avc: denied
{ write } for pid=3455 exe=/bin/bash name=squid dev=hda2 ino=4457453
scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t
tclass=dir
Dec 5 09:47:34 fedora kernel: audit(1102268854.527:0): avc: denied
{ add_name } for pid=3455 exe=/bin/bash name=squid.out
scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t
tclass=dir
Dec 5 09:47:34 fedora kernel: audit(1102268854.528:0): avc: denied
{ create } for pid=3455 exe=/bin/bash name=squid.out
scontext=root:system_r:initrc_t tcontext=root:object_r:squid_log_t
tclass=file
Dec 5 09:47:35 fedora squid[3458]: Squid Parent: child process 3460 started
With squid successfully running.
This indicates that the policy may need some additional
rules, like:
allow initrc_t squid_log_t:dir { add_name write };
allow initrc_t squid_log_t:file create;
But I don't get the messages you get.
I'm running squid-2.5.STABLE7-1. Is this the same as yours?
tom
--
Tom London
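The allow rules Tom derives by hand above are exactly what a denial-to-rule translator such as audit2allow produces: group the denied permissions by (source type, target type, object class) and emit one allow statement per group. The following is an added example, not code from the thread or from the SELinux tools, that does this over the three AVC lines quoted above (re-joined onto single lines, since the mail wrapped them) and ignores the unrelated squid startup line. Function names are my own.

```python
import re
from collections import defaultdict

# Sample input: the three AVC denials quoted in the thread plus one non-AVC line,
# re-joined from the wrapped output in the mail so each record is one line.
SAMPLE_LOG = """\
Dec 5 09:47:34 fedora kernel: audit(1102268854.527:0): avc: denied { write } for pid=3455 exe=/bin/bash name=squid dev=hda2 ino=4457453 scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t tclass=dir
Dec 5 09:47:34 fedora kernel: audit(1102268854.527:0): avc: denied { add_name } for pid=3455 exe=/bin/bash name=squid.out scontext=root:system_r:initrc_t tcontext=system_u:object_r:squid_log_t tclass=dir
Dec 5 09:47:34 fedora kernel: audit(1102268854.528:0): avc: denied { create } for pid=3455 exe=/bin/bash name=squid.out scontext=root:system_r:initrc_t tcontext=root:object_r:squid_log_t tclass=file
Dec 5 09:47:35 fedora squid[3458]: Squid Parent: child process 3460 started
"""

# "avc: denied { perm perm ... } for key=value key=value ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_avc(line):
    """Return the denied permissions and the types involved, or None if the
    line is not an AVC denial.  The type is the third field of a
    user:role:type security context."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = m.group(1).split()
    fields = dict(KV_RE.findall(m.group(2)))
    try:
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None  # malformed record: leave it out rather than guess
    return {"perms": perms, "stype": stype, "ttype": ttype,
            "tclass": tclass, "fields": fields}


def denials_to_rules(log_text):
    """Collapse all denials into candidate TE allow rules, one per
    (source type, target type, class), with the permissions merged."""
    needed = defaultdict(set)
    for line in log_text.splitlines():
        d = parse_avc(line)
        if d:
            needed[(d["stype"], d["ttype"], d["tclass"])].update(d["perms"])
    rules = []
    for (stype, ttype, tclass), perms in sorted(needed.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    for rule in denials_to_rules(SAMPLE_LOG):
        print(rule)
```

Run stand-alone this prints the same two rules Tom wrote out. The output is a list of candidates to review, not a policy to install as-is: a denial can equally mean the file or directory carries the wrong label (common after an upgrade such as the FC1 to FC3 one described earlier in the thread), in which case relabeling is the fix and no new rule is wanted. On a real system audit2allow does this translation from the audit log directly.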